github.com/cs3org/reva/v2@v2.27.7/pkg/storage/utils/grants/grants.go (about)

     1  // Copyright 2018-2021 CERN
     2  //
     3  // Licensed under the Apache License, Version 2.0 (the "License");
     4  // you may not use this file except in compliance with the License.
     5  // You may obtain a copy of the License at
     6  //
     7  //     http://www.apache.org/licenses/LICENSE-2.0
     8  //
     9  // Unless required by applicable law or agreed to in writing, software
    10  // distributed under the License is distributed on an "AS IS" BASIS,
    11  // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    12  // See the License for the specific language governing permissions and
    13  // limitations under the License.
    14  //
    15  // In applying this license, CERN does not waive the privileges and immunities
    16  // granted to it by virtue of its status as an Intergovernmental Organization
    17  // or submit itself to any jurisdiction.
    18  
    19  package grants
    20  
    21  import (
    22  	"errors"
    23  	"strings"
    24  
    25  	provider "github.com/cs3org/go-cs3apis/cs3/storage/provider/v1beta1"
    26  	"github.com/cs3org/reva/v2/pkg/storage/utils/acl"
    27  	"google.golang.org/protobuf/proto"
    28  )
    29  
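// GetACLPerm generates a string representation of CS3APIs' ResourcePermissions.
//
// A nil or empty set yields the explicit deny string "!r!w!x!m!u!d". Otherwise
// each letter (r, w, x, m, q) is emitted when ANY one of the CS3 flags grouped
// under it is set, followed by "+d" or "!d" depending on set.Delete. The
// returned error is always nil in this implementation.
//
// The mapping is lossy: converting the result back with GetGrantPermissionSet
// can produce a wider set than the input. For example, a set with only Delete
// yields "w+d", which maps back to Move, InitiateFileUpload, CreateContainer and
// the other write flags. Callers that need an exact round trip must not rely on
// this pair of functions.
// TODO(labkode): fine grained permission controls.
func GetACLPerm(set *provider.ResourcePermissions) (string, error) {
	// Resource permission is denied. The nil check fails closed: proto.Equal
	// reports a nil message as different from an empty one, so without it a
	// nil set would reach the field reads below and dereference nil.
	if set == nil || proto.Equal(&provider.ResourcePermissions{}, set) {
		return "!r!w!x!m!u!d", nil
	}

	var b strings.Builder

	if set.Stat || set.InitiateFileDownload {
		b.WriteString("r")
	}
	// Delete alone is enough to emit "w"; the "+d"/"!d" suffix below only
	// refines delete and does not take the write bit away again.
	if set.CreateContainer || set.InitiateFileUpload || set.Delete || set.Move {
		b.WriteString("w")
	}
	if set.ListContainer || set.ListFileVersions {
		b.WriteString("x")
	}
	if set.AddGrant || set.ListGrants || set.RemoveGrant {
		b.WriteString("m")
	}
	if set.GetQuota {
		b.WriteString("q")
	}

	// Delete is always stated explicitly, either granted or denied.
	if set.Delete {
		b.WriteString("+d")
	} else {
		b.WriteString("!d")
	}

	return b.String(), nil
}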
    64  
// GetGrantPermissionSet converts an ACL permission string into CS3APIs'
// ResourcePermissions. Every flag starts out false (all denied) and is only
// switched on by a letter that is present without its "!"-prefixed negation
// anywhere in the string.
//
// Delete and PurgeRecycle come from "w" and are withheld when "!d" is present;
// "+d" is never consulted here, so it cannot grant delete without "w".
//
// NOTE(review): matching is by substring, not by token, so any multi-character
// permission token that contains one of these letters would also match, and a
// negation anywhere in the string wins over a grant. Confirm against the EOS
// token set that can reach this function.
// TODO(labkode): add more fine grained controls.
// EOS acls are a mix of ACLs and POSIX permissions. More details can be found in
// https://github.com/cern-eos/eos/blob/master/doc/configuration/permission.rst
func GetGrantPermissionSet(perm string) *provider.ResourcePermissions {
	// granted reports whether letter occurs in perm and is not negated.
	granted := func(letter string) bool {
		return strings.Contains(perm, letter) && !strings.Contains(perm, "!"+letter)
	}

	rp := &provider.ResourcePermissions{} // zero value == all denied

	if granted("r") {
		rp.GetPath = true
		rp.Stat = true
		rp.InitiateFileDownload = true
	}

	if granted("w") {
		// An explicit "!d" strips the two destructive flags from write access.
		deletable := !strings.Contains(perm, "!d")

		rp.Move = true
		rp.Delete = deletable
		rp.PurgeRecycle = deletable
		rp.InitiateFileUpload = true
		rp.RestoreFileVersion = true
		rp.RestoreRecycleItem = true
		rp.CreateContainer = true
	}

	if granted("x") {
		rp.ListFileVersions = true
		rp.ListRecycle = true
		rp.ListContainer = true
	}

	if granted("m") {
		rp.AddGrant = true
		rp.ListGrants = true
		rp.RemoveGrant = true
	}

	if granted("q") {
		rp.GetQuota = true
	}

	return rp
}
   111  
// GetACLType returns the ACL type string for a grantee type. Only user and
// group grantees are mapped; every other grantee type is rejected with an
// error rather than being given a default, so an unknown type cannot end up
// in an ACL entry.
func GetACLType(gt provider.GranteeType) (string, error) {
	if gt == provider.GranteeType_GRANTEE_TYPE_USER {
		return acl.TypeUser, nil
	}
	if gt == provider.GranteeType_GRANTEE_TYPE_GROUP {
		return acl.TypeGroup, nil
	}
	return "", errors.New("no eos acl for grantee type: " + gt.String())
}
   123  
// GetGranteeType returns the grantee type for an ACL type string. Anything
// other than the user or group type maps to GRANTEE_TYPE_INVALID. No error is
// returned, so callers have to check for the invalid value themselves.
func GetGranteeType(aclType string) provider.GranteeType {
	if aclType == acl.TypeUser {
		return provider.GranteeType_GRANTEE_TYPE_USER
	}
	if aclType == acl.TypeGroup {
		return provider.GranteeType_GRANTEE_TYPE_GROUP
	}
	return provider.GranteeType_GRANTEE_TYPE_INVALID
}
   135  
// PermissionsEqual returns true if both permission sets are non-nil and equal
// according to proto.Equal. A nil argument never compares equal, not even to
// another nil.
func PermissionsEqual(p1, p2 *provider.ResourcePermissions) bool {
	if p1 == nil || p2 == nil {
		return false
	}
	return proto.Equal(p1, p2)
}
   140  
// GranteeEqual returns true if both grantees are non-nil and equal according
// to proto.Equal. A nil argument never compares equal, not even to another
// nil.
func GranteeEqual(g1, g2 *provider.Grantee) bool {
	if g1 == nil || g2 == nil {
		return false
	}
	return proto.Equal(g1, g2)
}